I'm using the WSHttp binding for message security with a non-WCF system. The other system doesn't have a complete security implementation, and in particular it doesn't know how to process message timestamps. How can I disable verification of the security timestamps in messages without turning off security?
Timely delivery of data is always a concern in messaging systems. Security has a special interest in delivery times because short, expiring time windows are often very effective at limiting the attack surface of a message exchange. It is possible to disable the generation and checking of these timestamps, although you should be aware that doing so does leave your system a little less secure.
Since I knew there was a setting for timestamp generation somewhere, I very quickly looked through the WSHttp binding to see if I could find it. When I couldn't find it on the binding, I simply went back to the binding elements and found it there on the security binding element. That means we can use our standard method for deriving a custom binding from one of the standard bindings.
WSHttpBinding oldBinding = new WSHttpBinding();
BindingElementCollection elements = oldBinding.CreateBindingElements();
elements.Find<SecurityBindingElement>().IncludeTimestamp = false;
CustomBinding newBinding = new CustomBinding(elements);
Next time: Using XML Serialization with WCF